Me at the RSA Conference

I'll be speaking twice at the RSA Conference this year. I'm giving a solo talk Tuesday at 1:00, and participating in a debate about training Wednesday at noon. This is a short written preview of my solo talk, and this is an audio interview on the topic.

Additionally: Akamai is giving away 1,500 copies of Liars and Outliers, and Zscaler is giving away 300 copies of Schneier on Security. I'll be doing book signings in both of those companies' booths and at the conference bookstore.

On 23 Feb, the Governor's Association held a series of conferences in Washington D.C. The Health and DHS Committee discussed a program to deploy wireless networks nation-wide called the “First Responder Network” to address issues brought to the consciousness of the public made obvious by the “Security Theatre” Agencies. The most disturbing statements made during the meeting came from both Richard Clarke (I used to have a great level of respect for his “honesty”--no longer) and the CSO from the State of Michigan. Richard's comments just didn't hold up to basic scrutiny—and—were followed by irresponsible statements made by Michigan's CSO. Essentially the CSO blamed the end-user (people) for the problems affecting state governments with respect to cyber-security.

As is well documented, spear phishing operates on the assumption of some level of naivete—but—technology companies share a level of responsibility when it comes to the operative behavior of systems that I'd term “fragile”. The CSO's statements didn't seem to make sense; for the last 15 years I've complained about the issues surrounding system vendors that “release” products that one could call golden (ready for production). Understanding that people could not be made to make detailed decisions about operational choices when using computer systems as tools to do their job. Understanding what is required to operate a system “safely” is not an exercise that anyone having more than a basic understanding of the technology seems to be an unreal expectation.

Microsoft, during the late 1990s, for a period of almost five years fought adopting the Common Criteria (ISO 15408, 27001) standard. The standard, though apparently complex, is basically a “best practices” for software development. Included in the standard are issues around things that aerospace companies exercise as standard practice. The IEEE draft standard(s) and licensing for software engineers have been available for some time. Though I have some real issue with the industry practices and the integrity of the IEEE efforts. IEEE does little to address what I would term the “social” capital costs of technological systems deployed in/as social-political solutions. What others might say is ethics is a bit too narrow to address the issue I have identified.

Why do I mention this?

1.) Officials abuse the public's trust by either not understanding the truth, or by being actively engaged in deceit. The result: poorly understood analysis of the issues puts more than just their opinion at risk.

2.) Sound reasoning and rational action are not possible based on decisions made using poor or inaccurate information. The result: the decisions made put the general public at risk.

3.) If the false information is given weight or gravity, it becomes an intractable situation to take on the “established in fact” propaganda propagated by the pseudo-intelligentsia.

4.) The rest of us, those that have a little more information than the so-called experts, get to watch in horror and amazement as the facts are ignored and governments exercise their power on the unwitting “public.”

The part "says ResultSource's Mr. Small suggested a lengthy, successful promotional bus tour, with attendees paying $50 for a ticket that included a copy of the book. 'Kevin was really smart at thinking about how to build energy and excitement around a book,' said Mr. Buckingham" makes me wonder if there'll be a Bruce bus tour anytime, what it might include, and just what sort of security theatre would be needed to be allowed on it.